Relentless Sofacy APT Attacks Armed With Zero Days, New Backdoors

A new analysis of the Sofacy APT gang, a Russian-speaking group carrying out targeted attacks against military and government offices for close to a decade, shows a relentless wave of intrusions peaking this summer against victims in a number of NATO countries and the Ukraine.

Researchers at Kaspersky Lab this morning released their update on Sofacy, which is also known as APT28, Fancy Bear, Sednit and a handful of other monikers. The report demonstrates a barrage of zero-day vulnerabilities in Office, Java, Adobe and Windows at the group’s disposal; the zero-days are being used against targets in attacks that remained active as of last month. The gang’s malware implants were uncovered as well as its capabilities to quickly adapt to detection technologies and hit compromised machines with different backdoors so that in case one was found out, there would be fallbacks.

Sofacy’s roots go back to around 2007, Kaspersky researchers said, with the name coming from an implant used in attacks four years ago that shared some similarities with the Miniduke APT gang uncovered by Kaspersky Lab in 2013 executing espionage activity against governments in Europe.

Sofacy’s rapid capability expansion began in 2013 when a number of new backdoors and malware tools were discovered, including CORESHELL, JHUHUGIT and AZZY among others.

This summer, the AZZY implant got a facelift and was used as recently as October along with a new USB-stealing malware designed to hit air-gapped machines.

In July, researchers at iSight Partners reported that Sofacy, or Tsar Team as iSight calls them, had dropped their sixth zero day exploit in four months, two of which in Office and Java were patched during a span of a few days in July.

“Usually, when someone publishes research on a given cyber-espionage group, the group reacts: either it halts its activity or dramatically changes tactics and strategy. With Sofacy, this is not always the case. We have seen it launching attacks for several years now, and its activity has been reported by the security community multiple times,” said Costin Raiu, director of the Global Research and Analysis Team at Kaspersky Lab.

Five of the six zero days, iSight said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash 0day that was put into use 24 hours after it was uncovered after the Hacking Team breach. Given the underground value of unpatched and unreported vulnerabilities, this was highly unusual behavior, even for a state-sponsored cyberespionage team.

Kaspersky researchers said that it discovered the group was using a Flash and Java zero day to drop the JHUHUGIT malware implant, which became its most prevalent first-stage implant in subsequent attacks.

The updated AZZY Trojan, meanwhile, surfaced in August in attacks against higher profile victims, and including in one case, a defense contractor, Kaspersky researchers said. While the first sample was spotted on July 29 and signatures quickly added to security systems, Kaspersky researchers said that by Aug. 4, another sample was in the wild. What made the AZZY update stand out was that it was not delivered via a zero-day, instead it was delivered and installed by separate malware already on the system, a dropper called msdeltemp.dll that the attackers controlled via backdoors in order to send commands to infected machines.

“This code modification marks an unusual departure from the typical AZZY backdoors, with its C&C communication functions moved to an external DLL file,” Kaspersky researchers wrote in their report. “In the past, the Sofacy developers modified earlier AZZY backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself, so this code modularization follows the same line of thinking.”

In addition to traditional data-stealing capabilities, Sofacy also covets information stored on air-gapped machines and uses its USBSTEALER implant to drain these machines of valuable content.

This is behavior similar to that of the Equation group, one of the most sophisticated state-sponsored groups, which invested significant resources in developing more than 100 malware implants, each with their own purpose and used selectively against valuable targets.

“In 2015 its activity increased significantly, deploying no less than five 0-days, making Sofacy one of the most prolific, agile and dynamic threat actors in the arena,” Raiu said. “We have reasons to believe that these attacks will continue.”